Survival of the Fittest – Cyber Resilience

By Clyve Lo-A-Njoe, CISSP

CEO, Blue Arca Cyber Security

and Richard Beetz

At the time of writing: Consultant, Blue Arca Cyber Security and Project Manager, Exicon Mobile

The Asia-Pacific region (APAC) is the global leader in having both the largest population of high-net-worth individuals (HNWIs) and the highest amount of HNWI wealth, according to the World Wealth Report.1 Although the demand for digital capabilities is high globally, the region has the largest share. Our views on digitizing wealth management operations are therefore influenced by the attention on this region, but we believe that they are applicable to the industry as a whole. In APAC, tech-savvy new-rich millennials demand a multi-channel delivery model from wealth management firms. Clients are more willing to use low-cost, high-end digital product propositions such as robo-advisory wealth management services. This is a serious wake-up call for wealth management (WM) firms that are still depending on a traditional servicing model. WM firms will need to embrace digital technologies or accept the potentially detrimental consequences for their business. At the same time, changing delivery models create new opportunities for wealth managers to differentiate themselves from the competition. Incumbents with long-established client relationships have a head start. Maintaining the client’s trust that comes with this relationship, while digitizing a wealth management business, requires strong cyber security controls to be put in place.

Cyber Security as a Competitive Edge for Wealth Managers

Wealth managers must come to terms with the importance of cyber security for their digital operations, and the possible impact on their brand and reputation. To become forward-thinking business leaders, they must educate themselves on how the digital landscape impacts their operations. This includes the potential pitfalls and complexities of digital threats. The ongoing digitization process has made data breaches by malicious hackers “the new norm”. Therefore, cyber security is no longer an IT risk. It is an operational risk. In case of a data breach, the board is accountable for proper security arrangements.

Digitizing wealth management operations translates into offering superior services and rich experiences. This includes ensuring the confidentiality, integrity and availability of personal data and information. The challenge for WM firms is to deal with cyber security in an environment that is changing faster than ever before. Unfortunately, cyber security is often seen as an impediment to business innovation. However, we observe that clients are becoming more aware of cyber risks. Wealth managers must implement stricter cyber security controls. They are now judged on their technologies, policies and procedures for responding to cyber attacks. Although there seems to be a general understanding that the threat cannot be eliminated, focusing only on protective measures is not enough. WM firms that are well prepared before, during and after a data breach earn the trust of their most important clients, giving them a competitive edge.

Adopt a Strategy that Offers Cyber Resilience

A cyber resilience strategy allows open and connected digital wealth management operations. This strategy ensures that cyber security controls support business outcomes. It combines the strengths of information security, business continuity and organizational resilience. If a WM firm applies a cyber-resilient framework to its digital operations, it aligns security with the business through a risk-based approach. This approach is unique and tailored to the digital WM firm, its operations and its business objectives. In this cyber resilience strategy the firm takes into consideration that:

  1. a data breach is not a matter of “if” but a matter of “when”, and
  2. people (i.e. “the human element”) are the weakest link in the cyber security chain.

It differs from the traditional and outdated cyber security strategy of focusing only on protection (i.e. building a wall between the business and the outside world). Cyber resilience allows the WM firm to accept potential failure in order for its operations to thrive. Operational risks are mitigated to a predefined acceptable minimum. In this context, wealth managers move towards building capabilities that ensure better prevention, detection and recovery from cyber attacks. Sophisticated access controls with two-factor authentication and advanced persistent threat (APT) solutions are deployed to prevent malicious hackers and traffic from entering the firm’s network. These solutions are monitored 24/7 in second-generation security operations centres (SOCs) to ensure timely detection of attacks. Together with the implementation of integrated IT and business continuity procedures, these firms ensure that backup data and systems can be restored in a timely manner, with limited disruption of the business, in case of a breach.

Increase Customer Experience with Cyber Resilience

Cyber resilience goes hand in hand with better customer experience. Cyber resilience measures give the end-user peace of mind. In turn, this increases the customer’s trust in and satisfaction with a digital product, service or platform. We have noticed that successful WM firms devise a customer-centric approach to both cyber security and their digital business model. They are able to reimagine the way both the client relationship and cyber security are optimized. This develops a connection with customers that feels safe. Examples of controls that add value to customer experience and trust are:

  • clear communication about the company’s cyber resilience strategy;
  • allowing users to choose between different levels of security (e.g. use of biometrics instead of passwords) while maintaining a secure company baseline;
  • outstanding customer service for cyber security-related questions such as password resets.

Target Your Cyber Security Investments

Wealth managers must prioritize their cyber security spending when adopting a cyber resilience strategy. It is about building the right cyber security capabilities in line with the digitization strategy. This means that wealth managers should take a step back and look at their current state and future expectations. Next, they should decide which areas to direct their cyber security expenditure to. Many wealth managers will find that IT budgets are not only insufficient, but also invested inefficiently.

A strong cyber resilience strategy includes both technology and business expertise. Change management is needed. The board and senior management must recognize that digitization and cyber security are top priorities. Risks should be mitigated from a business perspective by using preventive measures and by building holistic incident response capabilities. The focus is on investing in capabilities that can deal with risks from a people, process and technology perspective.

Put the Customer at the Centre of Your Cyber Resilience Strategy

A customer-driven approach ensures a digitally and emotionally connected relationship. We observe that banks are moving away from one-size-fits-all approaches to protecting their business. A discussion about customer experience and security often leads to user access controls. User access controls are security techniques that regulate the authentication of users and their authorization to use resources in a digital environment. To match the specific needs of their clientele, banks are using customer segmentation methods in their security models. We believe that wealth managers should follow the same route. By using data intelligence, wealth managers will be able to analyse and understand how customers perceive their interaction with cyber security in the digital environment. The key is to take cyber risks away from the end-user, and to put the decision on a preferred level of security in that user’s hands. This builds trust.

This brings us to a baseline security model. To implement a customer segmentation method, it is vital that a baseline is established. The baseline is the result of the firm’s risk tolerance and the minimum level of security needed, and is predefined by senior management. We can imagine the baseline as a horizontal threshold line (e.g. “security level-1”). Below the baseline we find investments in sophisticated security capabilities, such as behavioural analytics against insider threats,2 cloud access security brokers3 for user authentication to cloud solutions, and cyber intelligence to prevent ransomware and phishing attacks.4 These allow for early prevention, detection and response against threats. Above the baseline, we can then enable the customer to choose their own security preferences in the digital environment (e.g. “security level-2”, “security level-3”, etc.).

The reason behind this is that customers are unable to distinguish good security from bad. Once customers are segmented into groups, it is most likely that we will find end-users who prefer either convenience or security, and a group of end-users that would not mind making trade-offs either way.5 At face value, this process seems like a daunting task, but this is not the case. It does imply that it is critical that cyber security is brought in early in the design of new products/solutions and customer journeys.

Wealth Managers Should Learn from the Technology Firms

In this chapter we discussed digitization with the emphasis on security, scalability and consumer experience. Cyber security is both a cost and an investment consideration. If dealt with only as an afterthought, it can become a significant cost factor: a continuous stream of updates and patches is expensive, slows down operations and is ineffective against a determined malicious hacker. Wealth managers should take a cue from the playbooks of large banks and technology firms. Many firms that have implemented digital operations consider themselves technology companies. For example, JPMorgan and Deutsche Bank consider themselves technology companies with a banking licence.6,7

From a cyber risk perspective, all major banks and technology firms have a way to test their cyber resilience strategy. This is also a starting point for a wealth manager: test the firm’s cyber security controls and proactively search the company’s IT network for advanced threats that could be exploited, so-called threat hunting. Any cyber resilience strategy that does not test all layers of the organization is both inefficient and ineffective. The security of large banks and technology firms is tested structurally and periodically by technical penetration testers, social engineering experts and IT auditors. These experts evaluate people, processes and technologies against best practices. They leverage their experience and creativity from a hacker’s point of view to reveal vulnerabilities.

Ultimately, we believe that the change digitization brings should be holistic instead of incremental. This means doing cyber security right from the start.
